GHSA-h45m-mgcp-q388: openssl-encrypt: TOTP rate limiter is in-memory only — not shared across workers, lost on restart

March 31, 2026

The TOTP brute-force rate limiter in openssl_encrypt_server/modules/pepper/totp.py at lines 47-98 uses an in-memory defaultdict(list) as a class variable.

References

github.com/advisories/GHSA-h45m-mgcp-q388
github.com/jahlives/openssl_encrypt
github.com/jahlives/openssl_encrypt/commit/2749bc0949b34a5921a35fb4a3f1856fc51916de
github.com/jahlives/openssl_encrypt/security/advisories/GHSA-h45m-mgcp-q388

Code Behaviors & Features

Detect and mitigate GHSA-h45m-mgcp-q388 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →